Stop sending emails to users who can't read commit

This is to ensure that only users will be able receive an email if they can read a commit from the repository even if they are watching the activity of it.

Stop sending emails to users who can't read commit
This is to ensure that only users will be able receive an email if they can read a commit from the repository even if they are watching the activity of it.
19933710 · Patrick Bajao · dc884879 · 19933710 · 19933710 · 19933710
Commit 19933710 authored Apr 16, 2019 by Patrick Bajao
3 changed files
--- a/app/models/notification_recipient.rb
+++ b/app/models/notification_recipient.rb
@@ -123,15 +123,19 @@ class NotificationRecipient
    return @read_ability if instance_variable_defined?(:@read_ability)
    @read_ability =
-      case @target
+      if @target.is_a?(Ci::Pipeline)
-      when Issuable
-        :"read_#{@target.to_ability_name}"
-      when Ci::Pipeline
        :read_build # We have build trace in pipeline emails
-      when ActiveRecord::Base
+      elsif default_ability_for_target
-        :"read_#{@target.class.model_name.name.underscore}"
+        :"read_#{default_ability_for_target}"
-      else
+      end
-        nil
+  end
+  def default_ability_for_target
+    @default_ability_for_target ||=
+      if @target.respond_to?(:to_ability_name)
+        @target.to_ability_name
+      elsif @target.class.respond_to?(:model_name)
+        @target.class.model_name.name.underscore
      end
  end

--- a/changelogs/unreleased/security-pb-email-watchers-no-access.yml
+++ b/changelogs/unreleased/security-pb-email-watchers-no-access.yml
+---
+title: Stop sending emails to users who can't read commit
+merge_request:
+author:
+type: security
--- a/spec/models/notification_recipient_spec.rb
+++ b/spec/models/notification_recipient_spec.rb
@@ -9,11 +9,43 @@ describe NotificationRecipient do
  subject(:recipient) { described_class.new(user, :watch, target: target, project: project) }
-  it 'denies access to a target when cross project access is denied' do
+  describe '#has_access?' do
-    allow(Ability).to receive(:allowed?).and_call_original
+    before do
-    expect(Ability).to receive(:allowed?).with(user, :read_cross_project, :global).and_return(false)
+      allow(user).to receive(:can?).and_call_original
+    end
+    context 'user cannot read cross project' do
+      it 'returns false' do
+        expect(user).to receive(:can?).with(:read_cross_project).and_return(false)
+        expect(recipient.has_access?).to eq false
+      end
+    end
+    context 'user cannot read build' do
+      let(:target) { build(:ci_pipeline) }
+      it 'returns false' do
+        expect(user).to receive(:can?).with(:read_build, target).and_return(false)
+        expect(recipient.has_access?).to eq false
+      end
+    end
+    context 'user cannot read commit' do
+      let(:target) { build(:commit) }
+      it 'returns false' do
+        expect(user).to receive(:can?).with(:read_commit, target).and_return(false)
+        expect(recipient.has_access?).to eq false
+      end
+    end
+    context 'target has no policy' do
+      let(:target) { double.as_null_object }
-    expect(recipient.has_access?).to be_falsy
+      it 'returns true' do
+        expect(recipient.has_access?).to eq true
+      end
+    end
  end
  context '#notification_setting' do